[pve-devel] [PATCH qemu-server] restrict monitor API call to Sys.Modify
Fabian Grünbichler
f.gruenbichler at proxmox.com
Fri Nov 4 09:42:17 CET 2016
because this allows adding arbitrary devices to VMs (and
other potentially dangerous things)
---
PVE/API2/Qemu.pm | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/PVE/API2/Qemu.pm b/PVE/API2/Qemu.pm
index 34a5d5d..e6fbb1b 100644
--- a/PVE/API2/Qemu.pm
+++ b/PVE/API2/Qemu.pm
@@ -2775,7 +2775,7 @@ __PACKAGE__->register_method({
proxyto => 'node',
description => "Execute Qemu monitor commands.",
permissions => {
- check => ['perm', '/vms/{vmid}', [ 'VM.Monitor' ]],
+ check => ['perm', '/', [ 'Sys.Modify' ]],
},
parameters => {
additionalProperties => 0,
--
2.1.4
More information about the pve-devel
mailing list